Once upon a time, not so very long ago, cookies were a tasty treat, tracking was something hunters did in the woods, browsing meant taking a stroll through the mall, the preferred family mobile device was the station wagon, and the only threat from a cloud was a thunderstorm.
In that pre-digital age, Congress wrote most of America’s federal privacy laws. Their authors could not envision technology that would allow both commercial interests and law enforcement authorities to pinpoint a person’s location with geo-tracking and profile his lifestyle, financial status and health by tracking his online activities. Nor did they imagine the threat sophisticated hackers could pose to personal financial and medical information as well as corporate intellectual property and trade secrets, whether stored on a laptop, mobile device, corporate server or in the cloud.
In a May 2012 speech to D.C. Superior Court judges, Erica Newland, senior policy analyst at the Center for Democracy & Technology, argued that antiquated privacy laws leave the nation poorly equipped to preserve any measure of privacy in an age of digital ubiquity where the technology to collect data surrounds everyone and data has become a valuable commodity. “Technology and policy both play powerful roles in framing what is possible and how we live our lives, and … changes in technology must be accompanied by changes to policy,” she said.
Her speech echoed calls by the Obama administration in its Consumer Privacy Bill of Rights, issued early in 2012. But the appeals of both consumer privacy advocates and the administration to a bitterly divided Congress have gone unheeded. In the meantime, the Federal Trade Commission (FTC) is employing its authority to regulate deceptive and unfair practices to go after companies that impinge on consumer privacy.
On the following pages, InsideCounsel reviews the status of federal policy and enforcement regarding some of the key issues in consumer privacy.
Many Washington observers doubt there will be any substantive action from the current Congress on consumer privacy.
“I’m pessimistic,” says William Baker, of counsel at Wiley Rein. “Congress has been facing these issues for more than a decade, and the issues simply get more complicated when you start introducing subjects that were not even being discussed five years ago, such as mobile applications, location tracking, Big Data and cloud computing.”
Littler Mendelson Shareholder Philip Gordon is another pessimist. “There may be legislation around the edges [such as amendments to update the 1986 Stored Communications Act],” he says. “But I am skeptical because there are bigger issues on the legislative agenda and continuing concerns coming out of the recession about the economic impact of regulation.”
Gordon also notes that the Obama administration is promoting a self-regulatory approach to privacy protection that could proceed without new legislation. For example, the FTC and the Department of Commerce are sponsoring multistakeholder meetings to develop a voluntary code of conduct for the mobile app industry, a process Baker says has taken longer than anyone expected with the outcome still uncertain at press time.
Baker says although there is a lot of interest in consumer privacy on Capitol Hill, rifts between and within the parties stand in the way of Congressional action.
“Democrats are more interested than Republicans, who tend to want to take a hands-off approach and see what develops,” he says. “But even within the parties, there can be differences in approach.” For example, he points to a split in the Democrat-controlled Senate over whether to approach the issue as a regulatory matter, vesting the FTC with more authority to regulate privacy issues, or as a criminal matter, giving the responsibility to law enforcement officials.
“It’s a challenge getting to a consensus approach,” Baker says. “Do you leave it to the FTC, or set a law and have it enforced on a criminal basis? That’s a tough decision to make. And once you decide on approach, there can be lots of disagreements on the details—which practices you want to permit and which you want to regulate in some way.”
For example, law enforcement groups oppose efforts to ban or restrict location tracking, which can be a valuable asset in finding criminals but impinges on the privacy of law-abiding citizens. “Congress has to consider what access to allow to law enforcement, and that is not an easy decision to make,” Baker says.
Baker predicts Congress will hold hearings in 2013 on location tracking, Big Data and children’s privacy and conduct oversight hearings on the FTC’s consumer privacy activity, but no bills will pass. “There will be legislation introduced, and some will pass committee, but it’s difficult to go further than that,” he says.
Hogan Lovells Partner Christopher Wolf is more optimistic. He likens the status of privacy legislation to environmental legislation, which finally passed in the form of the Clean Water Act and the Clean Air Act in the early 1970s after more than a decade of discussion. After a similar period of debate, Wolf thinks the time may have come for a comprehensive privacy bill, such as the administration’s Consumer Privacy Bill of Rights, which would cover all personal data, extending federal regulation far beyond the medical, financial and children’s data privacy protections now in effect. It would require notice and consent for accessing personal data and disclosure on how it would be used. And it would provide a safe harbor for companies that sign onto voluntary codes of conduct, such as the one the multistakeholder meetings on mobile apps is addressing.
“The drumbeats are getting louder,” Wolf says. “Eventually we will see comprehensive privacy legislation.”
In the meantime, the FTC is using its power to regulate deceptive and unfair trade practices to go after companies it believes are unduly infringing on consumer privacy rights. The agency is also finding new ways to apply old laws to current practices.
“In the past two to three years, the FTC has been completely re-energized—it is as if they put in new batteries,” says Michelle Cohen, a member at Ifrah Law. “In the absence of federal legislation, they have taken the lead on ensuring there is some privacy regulation, using their existing authority under Section 5 [of the FTC Act]. In some cases, they have reached back to 1970s laws such as the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act and applied them to situations where people used data in ways they deemed inappropriate. These somewhat sleepy statutes are being used in creative ways.”
A December 2012 FTC settlement with an online advertising company demonstrates how the agency is using its Section 5 power to extend its authority to one of the hottest privacy issues, online data tracking.
The FTC said in a press release that Epic Marketplace Inc. used “history sniffing” to secretly gather data from millions of consumers about their interest in sensitive medical and financial issues. Consumers who visited any of the 45,000 sites in the Epic network received a cookie, which stored information about the sites they visited and the ads they viewed. The cookies allowed Epic to “sniff” browsers to determine users’ online practices and then send them ads targeted to their interests, a practice known as online behavioral advertising.
According to the FTC complaint, Epic assigned each consumer an interest segment based on the sites visited, including “Incontinence,” “Arthritis,” “Memory Improvement” and “Pregnancy-Fertility-Getting Pregnant.”
“What is interesting about Epic is that they were collecting very, very personal information,” Gardner says. “According to the FTC, the sites included sites on infertility, incontinence, impotence and menopause. If you were visiting your doctor, this kind of information would be protected. Tracking really puts your information out there in a way that allows the tracker to paint a picture of your life.”
The industry is aware that consumer concern over such intrusions is growing. A voluntary effort by the World Wide Web Consortium (W3C) to develop a unified voluntary approach to Do-Not-Track browsing will resume this year with new leadership. The goal is a global standard for a computer browser setting that would allow Internet users to signal websites, advertising networks and data brokers that they do not want their browsing activities tracked for marketing purposes. The 2012 talks reportedly were acrimonious, but some think the newly appointed co-chairman, Peter Swire, an Ohio State University law professor who served as a privacy adviser to the Clinton administration, can get them back on track.
“If anyone can do it, Peter can do it,” Wolf says. “He’s a real diplomat and terribly knowledgeable.”
Data Broker Inquiry
In another hot privacy arena, the FTC announced in December 2012 an inquiry into the practices of nine data brokers—companies that collect and resell consumer data—and issued administrative subpoenas seeking information on how the companies collect, store, analyze and share data.
“There is concern among members of Congress and the FTC about data brokers because major portions of their business are not regulated under current law,” Baker says. “They have been around a long time, but now we have computers with more capacity, more sophisticated data analytics and more data. It’s the sheer mass of data that is pressing the issue now.”
Baker says the main concern of both regulators and legislators is that consumers don’t realize their data is being collected online and sold, and they have no control over it.
“This is a coming issue and one inside counsel should watch and think about how regulation could affect their business if they are customers of these folks, either as contributors of data or consumers of it,” he says.
Prior to launching the inquiry, the FTC used the FCRA to bring charges against data broker Spokeo in a case settled for $800,000 in June 2012. The FTC charged that consumer profiles compiled from online sources Spokeo sold to human resources departments and recruiters to use in employment screening were consumer reports covered by the FCRA. That law requires the seller of consumer reports to verify the purchaser has a permissible purpose for seeking them, follow procedures to assure maximum possible accuracy, and inform purchasers of their obligation to tell consumers if they take an adverse action based on information in the report. According to the FTC, Spokeo failed on all three counts.
More enforcement actions against data brokers are expected.
“As the collection of huge amounts of consumer information continues to increase, along with the proliferation of data brokers, expect to see the FTC taking action against these organizations, using the full panoply of laws and regulations at its disposal,” Cohen says. “They don’t necessarily seek to restrict all of that activity. They know there are good and proper uses of data collection. It comes down to [the consumer] understanding what is being collected, who it is going to and what you are consenting to.”